aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndreas Schneider <asn@cryptomilk.org>2015-02-02 14:14:12 +0100
committerAndreas Schneider <asn@cryptomilk.org>2015-02-02 17:32:18 +0100
commitafc9988c933ed74bd4c302d685f1b4d7e1960aab (patch)
tree193217bca85659535b0a5d5c9df47eca8844d2f1
parent2490404d4505ca49e2f8eb7914bb0b1e2d64db8d (diff)
downloadlibssh-afc9988c933ed74bd4c302d685f1b4d7e1960aab.tar.gz
libssh-afc9988c933ed74bd4c302d685f1b4d7e1960aab.tar.xz
libssh-afc9988c933ed74bd4c302d685f1b4d7e1960aab.zip
buffer: Improve argument checking in ssh_buffer_pack()
Signed-off-by: Andreas Schneider <asn@cryptomilk.org> Reviewed-by: Aris Adamantiadis <aris@0xbadc0de.be>
-rw-r--r--include/libssh/buffer.h15
-rw-r--r--include/libssh/priv.h24
-rw-r--r--src/buffer.c31
3 files changed, 62 insertions, 8 deletions
diff --git a/include/libssh/buffer.h b/include/libssh/buffer.h
index 2aebe7e7..1cc8196c 100644
--- a/include/libssh/buffer.h
+++ b/include/libssh/buffer.h
@@ -52,9 +52,18 @@ int buffer_add_u16(ssh_buffer buffer, uint16_t data);
int buffer_add_u32(ssh_buffer buffer, uint32_t data);
int buffer_add_u64(ssh_buffer buffer, uint64_t data);
int ssh_buffer_add_data(ssh_buffer buffer, const void *data, uint32_t len);
-int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, const char *format, va_list ap);
-int _ssh_buffer_pack(struct ssh_buffer_struct *buffer, const char *format, ...);
-#define ssh_buffer_pack(buffer, format, ...) _ssh_buffer_pack((buffer),(format), __VA_ARGS__, SSH_BUFFER_PACK_END)
+
+int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer,
+ const char *format,
+ int argc,
+ va_list ap);
+int _ssh_buffer_pack(struct ssh_buffer_struct *buffer,
+ const char *format,
+ int argc,
+ ...);
+#define ssh_buffer_pack(buffer, format, ...) \
+ _ssh_buffer_pack((buffer), (format), __VA_NARG__(__VA_ARGS__), __VA_ARGS__, SSH_BUFFER_PACK_END)
+
int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer, const char *format, va_list ap);
int _ssh_buffer_unpack(struct ssh_buffer_struct *buffer, const char *format, ...);
#define ssh_buffer_unpack(buffer, format, ...) _ssh_buffer_unpack((buffer),(format), __VA_ARGS__, SSH_BUFFER_PACK_END)
diff --git a/include/libssh/priv.h b/include/libssh/priv.h
index 0e3bab5b..4adcf898 100644
--- a/include/libssh/priv.h
+++ b/include/libssh/priv.h
@@ -301,5 +301,29 @@ int match_hostname(const char *host, const char *pattern, unsigned int len);
*/
#define discard_const_p(type, ptr) ((type *)discard_const(ptr))
+/**
+ * Get the argument cound of variadic arguments
+ */
+#define __VA_NARG__(...) \
+ (__VA_NARG_(_0, ## __VA_ARGS__, __RSEQ_N()) - 1)
+#define __VA_NARG_(...) \
+ __VA_ARG_N(__VA_ARGS__)
+#define __VA_ARG_N( \
+ _1, _2, _3, _4, _5, _6, _7, _8, _9,_10, \
+ _11,_12,_13,_14,_15,_16,_17,_18,_19,_20, \
+ _21,_22,_23,_24,_25,_26,_27,_28,_29,_30, \
+ _31,_32,_33,_34,_35,_36,_37,_38,_39,_40, \
+ _41,_42,_43,_44,_45,_46,_47,_48,_49,_50, \
+ _51,_52,_53,_54,_55,_56,_57,_58,_59,_60, \
+ _61,_62,_63,N,...) N
+#define __RSEQ_N() \
+ 63, 62, 61, 60, \
+ 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, \
+ 49, 48, 47, 46, 45, 44, 43, 42, 41, 40, \
+ 39, 38, 37, 36, 35, 34, 33, 32, 31, 30, \
+ 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, \
+ 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, \
+ 9, 8, 7, 6, 5, 4, 3, 2, 1, 0
+
#endif /* _LIBSSH_PRIV_H */
/* vim: set ts=4 sw=4 et cindent: */
diff --git a/src/buffer.c b/src/buffer.c
index be25a32f..5eb3bb56 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -688,7 +688,11 @@ struct ssh_string_struct *buffer_get_mpint(struct ssh_buffer_struct *buffer) {
* SSH_ERROR on error
* @see ssh_buffer_add_format() for format list values.
*/
-int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, const char *format, va_list ap){
+int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer,
+ const char *format,
+ int argc,
+ va_list ap)
+{
int rc = SSH_ERROR;
const char *p;
union {
@@ -702,8 +706,14 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, const char *format, va_
char *cstring;
bignum b;
size_t len;
+ int count;
+
+ for (p = format, count = 0; *p != '\0'; p++, count++) {
+ /* Invalid number of arguments passed */
+ if (count > argc) {
+ return SSH_ERROR;
+ }
- for (p = format; *p != '\0'; p++) {
switch(*p) {
case 'b':
o.byte = (uint8_t)va_arg(ap, unsigned int);
@@ -740,7 +750,10 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, const char *format, va_
break;
case 'P':
len = va_arg(ap, size_t);
+
o.data = va_arg(ap, void *);
+ count++; /* increase argument count */
+
rc = ssh_buffer_add_data(buffer, o.data, len);
o.data = NULL;
break;
@@ -769,6 +782,10 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, const char *format, va_
}
}
+ if (argc != count) {
+ return SSH_ERROR;
+ }
+
if (rc != SSH_ERROR){
/* verify that the last hidden argument is correct */
o.dword = va_arg(ap, uint32_t);
@@ -799,12 +816,16 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, const char *format, va_
* @warning when using 'P' with a constant size (e.g. 8), do not
* forget to cast to (size_t).
*/
-int _ssh_buffer_pack(struct ssh_buffer_struct *buffer, const char *format, ...){
+int _ssh_buffer_pack(struct ssh_buffer_struct *buffer,
+ const char *format,
+ int argc,
+ ...)
+{
va_list ap;
int rc;
- va_start(ap, format);
- rc = ssh_buffer_pack_va(buffer, format, ap);
+ va_start(ap, argc);
+ rc = ssh_buffer_pack_va(buffer, format, argc, ap);
va_end(ap);
return rc;
}